DNSSEC Test
Welcome to my DNSSEC test page. You can use the information here to test and verify your DNSSEC validator. You may have arrived here through different hostnames but the important two are these:
on most systems behind a non-validating resolver, both these links should work, but if you use DNSSEC, the first one should work, but the second should not.
Since I now have a secure delegation from .nl, a default config with the root key should work. Or rather, not work, in the case of the second link.
There is also an NSEC3 version of this
Test Tree
I also created a complete tree to test your chaser/tracer/verifier/whatever with. At the moment it goes down 4 levels from dnssec.tjeb.nl.
Every zone has 6 subzones. The DS record for the delegation will for each of them (except 'ok') have a problem:
- ok these are signed correctly.
- nods The DS for this zone is missing
- bogussig the RRSIGs of the DS records for these zone contain bad signature data.
- sigexpired the RRSIGs of the DS records for these zones have an expiration date in the past.
- signotincepted the RRSIGs of the DS records for these zones have an inception date in the future.
-
unknownalgorithm
the RRSIGS of the DS records for these zones are signed correctly (with a known algorithm), but have the algorithm field set to another value.
The result is that you can test your programs with a range of domains, for example:
- ok.ok.ok.dnssec.tjeb.nl
- ok.ok.nods.ok.dnssec.tjeb.nl
- bogussig.ok.dnssec.tjeb.nl
- ok.bogussig.ok.ok.dnssec.tjeb.nl
- unknownalgorithm.ok.sigexpired.ok.dnssec.tjeb.nl
- signotincepted.bogussig.sigexpired.bogussig.dnssec.tjeb.nl
- bogussig.dnssec.tjeb.nl
- sigexpired.dnssec.tjeb.nl
- signotincepted.dnssec.tjeb.nl
- unknownalgorithm.dnssec.tjeb.nl